STIGQter STIGQter: STIG Summary: IBM DB2 V10.5 LUW Security Technical Implementation Guide Version: 1 Release: 4 Benchmark Date: 25 Oct 2019:

DB2 must use NSA-approved cryptography to protect classified information in accordance with the data owners requirements.

DISA Rule

SV-89271r2_rule

Vulnerability Number

V-74597

Group Title

SRG-APP-000416-DB-000380

Rule Version

DB2X-00-008600

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Setting instance configuration parameters so that the instance is strictly compliant with NIST SP 800-131A.

Set the DB2 registry variable DB2COMM to SSL:

$db2set DB2COMM=SSL

Set the DB2 database manager configuration parameter SSL_VERSIONS to TLSV12:

$db2 update dbm cfg using SSL_VERSIONS TLSV12

Set the DB2 database manager configuration parameter SSL_CIPHERSPECS to a symmetric algorithm key length that is greater than or equal to 112:

$db2 update dbm cfg using SSL_CIPHERSPECS TLS_RSA_WITH_AES_256_GCM_SHA384

Set the database manager configuration parameter SSL_SVC_LABEL to a certificate with RSA key length that is greater than or equal to 2048. That certificate must also have a digital signature with minimum SHA2.

Create the certificate. Example:

$gsk8capicmd_64 -cert -create -db "mydbserver.kdb" -pw "password" -size 2048 -sigalg SHA256WithRSA -label "myselfsigned_SHA2_2K" -dn "CN=myhost.mycompany.com,O=myOrganization, OU=myOrganizationUnit,L=myLocation,ST=ON,C=CA"

$db2 update dbm cfg using SSL_SVR_LABEL myselfsigned_SHA_2K

Note: Here is an example of SSL set up on Linux:

1. Create a directory "ssl"
$mkdir ssl
2. Make sure gsk8capicmd_64 command in PATH $ export PATH=$PATH:/home/db2inst1/sqllib/gskit/bin
3. Make sure library is in path $ echo $LD_LIBRARY_PATH /home/db2inst1/sqllib/lib64:/home/db2inst1/sqllib/lib64/gskit:/home/db2inst1/sqllib/lib32
4. Go to ssl directory (/home/db2inst1/ssl)
5. Create Server key database
$db2inst1@potserver:~/ssl> gsk8capicmd_64 -keydb -create -db "mydbserver.kdb" -pw "password" -stash
$db2inst1@potserver:~/ssl> ls
$mydbserver.crl mydbserver.kdb mydbserver.rdb mydbserver.sth
6. To create a self-signed certificate with a label of myselfsigned, use the GSKCapiCmd command as shown in the following example:
$gsk8capicmd_64 -cert -create -db "mydbserver.kdb" -pw "password" -label "myselfsigned" -dn "CN=myhost.mycompany.com,O=myOrganization, OU=myOrganizationUnit,L=myLocation,ST=ON,C=CA"
7. Extract the certificate you just created to a file, so that you can distribute it to computers running clients that will be establishing SSL connections to your DB2 server. For example, the following GSKCapiCmd command extracts the certificate to a file called mydbserver.arm:
$gsk8capicmd_64 -cert -extract -db "mydbserver.kdb" -pw "password" -label "myselfsigned" -target "mydbserver.arm" -format ascii -fips
8. Set database manager configuration parameters:
$db2 update dbm cfg using SSL_SVR_KEYDB /home/db2inst1/ssl/mydbserver.kdb
$db2 update dbm cfg using SSL_SVR_STASH /home/db2inst1/ssl/mydbserver.sth
$db2 update dbm cfg using SSL_SVR_LABEL SSLLabel
$db2 update dbm cfg using SSL_SVCENAME 50602
9. Add the value SSL to the DB2COMM registry variable. For example:
$db2set -i db2inst1 DB2COMM=SSL
or
$db2set -i db2inst1 DB2COMM=SSL

Check Contents

If the database is in the unclassified environment, this is not applicable (NA).

Verify the instance configuration parameters so that the instance is strictly compliant with NIST SP 800-131A.

Check the DB2 registry variable DB2COMM is set to SSL:

$db2set all

If DB2COMM is not set to SSL, this is a finding.

Find the value of SSL_VERSIONS by running:

$db2 get dbm cfg

If SSL_VERSIONS is not set to TLSV12, this is a finding.

Find the value of SSL_CIPHERSPECS by running:

$db2 get dbm cfg

If SSL_CIPHERSPECS is not set to a symmetric algorithm key length that is greater than or equal to 112, this is a finding.

Find the value of SSL_SVC_LABEL by running:

$db2 get dbm cfg

If the parameter SSL_SVC_LABEL is not set to a certificate with RSA key length that is greater than or equal to 2048, this is a finding.

If the certificate does not have a digital signature with minimum SHA2, this is a finding.

The above settings ensure that all connections over SSL in any CLP or Java application strictly adhere to NIST SP 800-131A.

Vulnerability Number

V-74597

Documentable

False

Rule Version

DB2X-00-008600

Severity Override Guidance

If the database is in the unclassified environment, this is not applicable (NA).

Verify the instance configuration parameters so that the instance is strictly compliant with NIST SP 800-131A.

Check the DB2 registry variable DB2COMM is set to SSL:

$db2set all

If DB2COMM is not set to SSL, this is a finding.

Find the value of SSL_VERSIONS by running:

$db2 get dbm cfg

If SSL_VERSIONS is not set to TLSV12, this is a finding.

Find the value of SSL_CIPHERSPECS by running:

$db2 get dbm cfg

If SSL_CIPHERSPECS is not set to a symmetric algorithm key length that is greater than or equal to 112, this is a finding.

Find the value of SSL_SVC_LABEL by running:

$db2 get dbm cfg

If the parameter SSL_SVC_LABEL is not set to a certificate with RSA key length that is greater than or equal to 2048, this is a finding.

If the certificate does not have a digital signature with minimum SHA2, this is a finding.

The above settings ensure that all connections over SSL in any CLP or Java application strictly adhere to NIST SP 800-131A.

Check Content Reference

M

Target Key

3161

Comments